Kaspersky researchers report the reappearance of MysterySnail RAT, a malware linked to Chinese IronHusky APT, targeting Mongolia and Russia after years of silence. Learn about its new tactics and modular design.

Threat actors are constantly developing new malware for their operations. These tools have varying lifespans: some malware families have been tracked for decades, while others vanish from public view relatively quickly. In 2021, Kaspersky researchers discovered one such short-lived implant, which they dubbed MysterySnail RAT, while investigating the CVE-2021-40449 zero-day vulnerability.

At the time of its discovery, MysterySnail RAT was linked to IronHusky APT, a Chinese-speaking threat group active since at least 2017. After the initial report, no further public details about this malware emerged.

However, recent observations have uncovered attempted deployments of a new version of MysterySnail RAT targeting government entities in Mongolia and Russia. This targeting aligns with previous intelligence indicating IronHusky’s specific interest in these two countries dating back to 2018, suggesting the RAT has been active covertly for several years.

A recent infection began with a malicious MMC script (a .msc console file) disguised as a document from Mongolia’s National Land Agency (ALAMGAC). The script downloaded a ZIP archive from the file.io file-sharing service containing a secondary malicious component and a decoy DOCX file, extracted the archive to %AppData%\Cisco\Plugins\X86\bin\etc\Update, and launched CiscoCollabHost.exe from that directory. For persistence it configured CiscoCollabHost.exe to run at start-up, and it opened the decoy document to deceive the user.

CiscoCollabHost.exe itself is a legitimate binary, but the archive also held a malicious DLL named CiscoSparkLauncher.dll that the legitimate process sideloads. This DLL acts as a new intermediary backdoor and handles C2 communication through the open-source piping-server project, an HTTP relay that lets two parties exchange data without a direct connection between them.
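The infection chain above leaves a few observable stages on the endpoint: mmc.exe opening a console file from a user-writable location, mmc.exe spawning a binary from the Cisco update path, an unsigned CiscoSparkLauncher.dll being loaded from that path, and a start-up entry pointing into it. The following hunt logic is an added example, not Kaspersky's code or tooling: it runs over constructed Sysmon-style key=value events made up here (the user name and lure file name are invented), and it assumes a Run registry key as the start-up mechanism, which the write-up does not specify.

```python
"""Hunt for the MysterySnail infection-chain stages in endpoint telemetry.

Added example, not Kaspersky's code. Sample events, user name and lure
file name are constructed; the Run-key persistence check is an assumption.
"""
import re
from typing import Dict, List

# Drop directory from the write-up, lower-cased, with %AppData% already expanded.
DROP_PATH = r"\cisco\plugins\x86\bin\etc\update"

# key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry (not real logs). Format: EventType key=value ...
SAMPLE_EVENTS = [
    'ProcessCreate Image=C:\\Windows\\System32\\mmc.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="mmc.exe C:\\Users\\user\\Downloads\\lure.msc"',
    'ProcessCreate Image=C:\\Users\\user\\AppData\\Roaming\\Cisco\\Plugins\\X86\\bin\\etc\\Update\\CiscoCollabHost.exe '
    'ParentImage=C:\\Windows\\System32\\mmc.exe CommandLine="CiscoCollabHost.exe"',
    'ImageLoad Image=C:\\Users\\user\\AppData\\Roaming\\Cisco\\Plugins\\X86\\bin\\etc\\Update\\CiscoCollabHost.exe '
    'ImageLoaded=C:\\Users\\user\\AppData\\Roaming\\Cisco\\Plugins\\X86\\bin\\etc\\Update\\CiscoSparkLauncher.dll Signed=false',
    'RegistryEvent TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CiscoCollabHost '
    'Details=C:\\Users\\user\\AppData\\Roaming\\Cisco\\Plugins\\X86\\bin\\etc\\Update\\CiscoCollabHost.exe',
    # Benign noise: the same DLL name loaded by a real install from Program Files.
    'ImageLoad Image="C:\\Program Files\\Cisco Spark\\CiscoCollabHost.exe" '
    'ImageLoaded="C:\\Program Files\\Cisco Spark\\CiscoSparkLauncher.dll" Signed=true',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'EventType k=v k="v with spaces"' into a dict."""
    event_type, _, rest = line.partition(" ")
    fields = {"EventType": event_type}
    for key, value in KV_RE.findall(rest):
        fields[key] = value.strip('"')
    return fields


def in_drop_path(path: str) -> bool:
    return DROP_PATH in path.lower()


def hunt(lines: List[str]) -> List[str]:
    """Return the names of the chain stages observed, in log order."""
    hits: List[str] = []
    for line in lines:
        ev = parse_event(line)
        kind = ev["EventType"]
        image = ev.get("Image", "").lower()
        if kind == "ProcessCreate":
            # Stage 1 (heuristic): mmc.exe opening a .msc from under C:\Users.
            if image.endswith("\\mmc.exe") and re.search(r"\\users\\.*\.msc\b", ev.get("CommandLine", ""), re.I):
                hits.append("mmc-opened-user-msc")
            # Stage 2: the MMC script launching the dropped binary from the Cisco update path.
            if ev.get("ParentImage", "").lower().endswith("\\mmc.exe") and in_drop_path(image):
                hits.append("mmc-spawned-from-drop-path")
        elif kind == "ImageLoad":
            # Stage 3: unsigned CiscoSparkLauncher.dll sideloaded from the drop path.
            loaded = ev.get("ImageLoaded", "").lower()
            if loaded.endswith("\\ciscosparklauncher.dll") and in_drop_path(loaded) and ev.get("Signed", "").lower() != "true":
                hits.append("sideloaded-ciscosparklauncher")
        elif kind == "RegistryEvent":
            # Stage 4 (assumed mechanism): a Run key whose value points into the drop path.
            if "\\currentversion\\run\\" in ev.get("TargetObject", "").lower() and in_drop_path(ev.get("Details", "")):
                hits.append("run-key-persistence")
    return hits


def hunt_sample() -> List[str]:
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for stage in hunt_sample():
        print("hit:", stage)
```

The path and file-name matches are deliberately tied to the drop directory rather than to the DLL name alone, so a genuine Webex install loading its own CiscoSparkLauncher.dll from Program Files (the last sample event) does not fire; in production you would add the hashes from the vendor report and check Authenticode rather than trust a `Signed` field.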

The new version can execute around 40 commands, enabling file system management, command execution via cmd.exe, process creation and termination, service management, and connection to network resources.

Unlike the 2021 samples, which consisted of a single malicious component, the new version loads five additional DLL modules to carry out its commands, a key step towards a modular design.

Moreover, the RAT was configured to persist on infected machines as a service. Its malicious DLL loads a payload encrypted with RC4 and XOR; once decrypted, the payload is loaded into memory through DLL hollowing, using code from the run_pe library.
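When triaging a loader like this, the first practical step is to reproduce the unpacking and confirm the output is a PE before worrying about the in-memory loading. The block below is an added example, not code from Kaspersky or from the malware: the write-up says RC4 and XOR are used but gives neither the keys nor the order of the two layers, so the "XOR outer, RC4 inner" ordering, the keys and the stand-in payload are all assumptions constructed here, with the blob produced by a matching encrypt helper so the round-trip runs offline. The DLL-hollowing step itself is outside the example.

```python
"""RC4 + XOR unpacking with a PE sanity check.

Added example, not the malware's or Kaspersky's code. Keys, layer order and
the stand-in payload are assumptions; RC4 is the standard KSA/PRGA.
"""
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA)
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(data: bytes, key: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_layer(data: bytes, xor_key: int) -> bytes:
    return bytes(b ^ xor_key for b in data)


def decrypt_payload(blob: bytes, rc4_key: bytes, xor_key: int) -> bytes:
    # Assumed order: strip the XOR layer first, then RC4. Swap if a real sample disagrees.
    return rc4(xor_layer(blob, xor_key), rc4_key)


def encrypt_payload(pe: bytes, rc4_key: bytes, xor_key: int) -> bytes:
    return xor_layer(rc4(pe, rc4_key), xor_key)


def looks_like_pe(data: bytes) -> bool:
    """Minimal check: 'MZ' DOS header and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed stand-in for a DLL: a DOS header whose e_lfanew points at a PE signature at 0x80.
_fake = bytearray(0x100)
_fake[0:2] = b"MZ"
_fake[0x3C:0x40] = (0x80).to_bytes(4, "little")
_fake[0x80:0x84] = b"PE\0\0"
FAKE_PE = bytes(_fake)

SAMPLE_RC4_KEY = b"example-key"  # assumption, not the real key
SAMPLE_XOR_KEY = 0x5A            # assumption, not the real key
SAMPLE_BLOB = encrypt_payload(FAKE_PE, SAMPLE_RC4_KEY, SAMPLE_XOR_KEY)


def unpack_sample() -> bytes:
    """Decrypt the constructed blob and refuse anything that is not a PE."""
    plain = decrypt_payload(SAMPLE_BLOB, SAMPLE_RC4_KEY, SAMPLE_XOR_KEY)
    if not looks_like_pe(plain):
        raise ValueError("decrypted blob is not a PE: wrong key or wrong layer order")
    return plain


if __name__ == "__main__":
    print("unpacked", len(unpack_sample()), "bytes, PE header OK")
```

The `looks_like_pe` gate is the useful part in practice: when the key or layer order is guessed wrong the output is noise, and checking for the MZ/PE signatures before handing the buffer to any loader catches that immediately. The RC4 routine can be checked against the public test vector (key "Key", plaintext "Plaintext") before trusting it on a real blob.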

Following the disruption of recent MysterySnail RAT intrusions, the threat actors persisted by deploying a modified, single-component variant named MysteryMonoSnail. This streamlined version talked to the same C2 servers as the full RAT but over the WebSocket protocol instead of HTTP, and supported only 13 basic commands, such as listing directories, writing files, and launching processes and remote shells.

The return of MysterySnail RAT shows that old malware doesn’t just disappear; it evolves. It’s also a reminder that staying on top of new and resurfacing threats is key to keeping systems secure.
